On Mon, Apr 01, 2013 at 03:25:48PM -0700, Walter Bright wrote:
> On 4/1/2013 2:20 PM, Simen Kjærås wrote:
> >I am reminded of Therac-25[1]. Though the situation there was
> >slightly different, similar situations could arise from not turning
> >off hardware.
>
> Relying on a program running correctly in order to avoid disaster is a
> terrible design. Even mathematically proving a program to be correct
> is in no way, shape, or form sufficient to deal with this.
"Beware of bugs in the above code; I have only proved it correct, not tried it." -- Donald Knuth

T

--
He who is everywhere is nowhere.